My box setup only has 1 NIC, detected as em0. I will add more Ethernet cards as soon as I have finished all the server setup; for now the NIC is used for both internal and internet traffic. Searching around, I found an article at http://bash.cyberciti.biz/firewall/pf-firewall-script/ , added some slight modifications, and here we go:

As you can see there are 3 errors, but I have no idea how to debug them. Like the first error: if I translate it correctly, 27 is the line number? Line 27 is empty space, line 54 is this comment "#Block RFC 1918 addresses", and 81 is EOF :/

Please don't use php code blocks for code which is not actually PHP. The useless colors it produces are distracting, to say the least.

I think there is a line number transposition. Can you upload the file somewhere, rather than copy/paste it? When I run your code through pfctl here, I get syntax errors in lines 4, 5, 7, and 10.

Your link is invalid, by the way. But it doesn't matter, Stellar. Since I recommended you not use 3rd party "howto" documents, and you ignored my advice, perhaps you could ask the author of the guide you decided to follow for assistance, instead?

It's your damned php block. When I grab the raw text out of the php code block, rather than copy/pasting from the browser, I can see the correct errors: lines 26 and 78, scrub and a synproxy error.

Your "scrub" is in error because, I believe, you are running -current. See the April 6 entry of the Following -current FAQ. See the man page for pf.conf(5).

Your "synproxy modulate state" is in error because synproxy is a state. See the man page for pf.conf(5).

Relax man... Sorry, I was asleep for 2 days, lol. I didn't see that when I pasted into the ssh client it had some wrongly terminated strings. Thanks, it worked as you advised. Here is the config; any advice for eliminating redundant rules? I need help making the security tighter (block port scanners / SYN stealth scans?).

Attached below. Anyway, I have another problem: pflogd seems to be writing into /var/log/pflog, but strangely pf can't pass the log to the pflog0 interface as defined in the rules. Nothing at all happens on pflog0 when I am using tcpdump.
my interface

# Allow incoming ssh, http, bind traffic
# pass in on $ext_if proto tcp from any to any port 25
pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
pass in on $ext_if proto udp from any to any port domain
pass in on $ext_if proto tcp from any to any port domain flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port http flags S/SA synproxy state
pass inet proto icmp all icmp-type $icmp_types keep state
## add your rule below ##
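The two errors discussed above (the -current scrub syntax and "synproxy state") and the empty pflog0 problem, shown in one added pf.conf fragment that is not the poster's ruleset or the linked guide's; the interface name, service list and ICMP types are assumed and the macros are defined here so the fragment checks stand-alone:

```pf
# Added example, not the poster's file. Interface name and lists are assumed.
ext_if = "em0"
tcp_services = "{ ssh, domain, http }"
icmp_types = "{ echoreq, unreach }"

set skip on lo

# On -current the standalone "scrub in all" rule is gone; scrub is now an
# option on a match (or pass) rule.
match in all scrub (no-df random-id)

# Only rules carrying "log" write to pflog0; a plain "block all" produces
# nothing for tcpdump -n -e -ttt -i pflog0.
block log all

# Drop packets with private source addresses arriving from the internet
# (the "Block RFC 1918 addresses" part of the original script).
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
block in quick on $ext_if from <rfc1918> to any

# synproxy is itself a state option, so it replaces "keep state" or
# "modulate state" rather than being combined with them.
pass in on $ext_if proto tcp to any port $tcp_services flags S/SA synproxy state
pass in on $ext_if proto udp to any port domain
pass inet proto icmp all icmp-type $icmp_types keep state

pass out on $ext_if keep state
```

Run `pfctl -nf /etc/pf.conf` to syntax-check the file before loading it.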